Create your own offline Certificate Request for SCOM Off-Domain Server

Category : troubleshooting   guides

The example below assumes your machine is named IIS-2019.

Create a new file on your machine and name it:

IIS-2019-CertReq.inf
Edit the file to include something similar to the following:

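[NewRequest]
Subject="CN=IIS-2019,OU=Servers,O=Support Team,L=Charlotte,S=North Carolina,C=US"
Exportable=TRUE ; Private key is exportable
KeySpec=1 ; Key Exchange – Required for encryption
KeyUsage=0xf0 ; Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment
MachineKeySet=TRUE ; Create the key in the Local Computer store, where the certificate is imported

; Optionally include the Certificate Template
; [RequestAttributes]
; CertificateTemplate="OperationsManager"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
2.5.29.17 = "{text}" ; SAN - Subject Alternative Name
_continue_ = "dns=IIS-2019&" ; DNS name matching the Subject CN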

Open an Administrator Command Prompt and navigate to where you saved the above file.
Run the following:

Certreq -New -f IIS-2019-CertReq.inf IIS-2019-CertRequest.req

Upload the above (IIS-2019-CertRequest.req) file to your Certificate Authority.

Once you receive your signed certificate back, import it into the Local Computer Personal certificate store.


As a side note, you may run the SCOM Certificate Checker script and get output that looks like this:
[Screenshot: Certificate Checker Script Missing Private Key]

You may also notice that the private key for the certificate is missing:
[Screenshot: Certificate Private Key Missing]

You may need to run the following command in an Administrator Command Prompt to restore the KeySpec and private key (replace the value after my with the serial number of your certificate):

certutil -repairstore my 1f00000008c694dac94bcfdc4a000000000008

[Screenshot: certutil Repair Store - Command Output]

After you run the certutil command above, you will notice the certificate now shows a private key (notice the key icon):
[Screenshot: Certificate Private Key Present]

You should now see this when you run the SCOM Certificate Checker PowerShell script:
[Screenshot: Certificate Checker Script Successful]
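
A read-only PowerShell check of the same conditions, added here as an example; it is not the SCOM Certificate Checker script or the author's code. It assumes the certificate's subject contains CN=IIS-2019 as in the INF file, and treats the Server/Client Authentication EKUs plus Digital Signature and Key Encipherment usage as the required properties.

```powershell
# Added example (not the SCOM Certificate Checker script). Read-only.
# Assumption: the certificate subject contains the CN used in the INF file.
$subjectMatch = 'CN=IIS-2019'
$requiredEku  = @{
    '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
    '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
}
$requiredUsage = 0xA0   # DigitalSignature (0x80) + KeyEncipherment (0x20)
$now = Get-Date

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$subjectMatch*" })
if ($certs.Count -eq 0) {
    Write-Warning "No certificate matching '$subjectMatch' in LocalMachine\My"
}

foreach ($cert in $certs) {
    # OIDs listed in the Enhanced Key Usage extension (2.5.29.37)
    $eku = @($cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $missingEku = @($requiredEku.Keys | Where-Object { $_ -notin $eku } |
        ForEach-Object { $requiredEku[$_] })

    # Flags from the Key Usage extension (2.5.29.15); 0 if it is absent
    $usageExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $usage = if ($usageExt) { [int]$usageExt.KeyUsages } else { 0 }

    [pscustomobject]@{
        Subject       = $cert.Subject
        SerialNumber  = $cert.SerialNumber
        HasPrivateKey = $cert.HasPrivateKey
        MissingEku    = $missingEku -join ', '
        KeyUsageOk    = ($usage -band $requiredUsage) -eq $requiredUsage
        WithinDates   = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        # Filled in only when the certificate has no private key attached
        RepairCommand = if (-not $cert.HasPrivateKey) {
            "certutil -repairstore my $($cert.SerialNumber)"
        }
    }
}
```

When HasPrivateKey is False, the RepairCommand column shows the certutil call from this article with that certificate's own serial number filled in.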

Now you just need to import the certificate with MOMCertImport (located on the SCOM installation media):
[Screenshot: MOMCertImport Location]

Right-click the program and run it as Administrator, then select the certificate you imported:
[Screenshot: Confirm Certificate in MOMCertImport]

About Blake Drumm

I like to collaborate and work on projects. My skills with PowerShell allow me to quickly develop automated solutions to suit my customers' and my own needs.
